mDNS no longer Disabled
Reported by she...@gmail.com, May 10 2016
Issue description
Chrome Version : 52.0.2729.3 (Official Build) dev (64-bit)
URLs (if applicable) : N/A
Other browsers tested:
Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
Safari:
Firefox:OK
IE:
What steps will reproduce the problem?
(1) Disable QUIC protocol in chrome://flags
(2) Restart Browser
(3) See mDNS needlessly running on port 5353
What is the expected result?
mDNS should not be running and creating needless attack surface.
What happens instead?
mDNS is running even with QUIC disabled.
Please provide any additional information below. Attach a screenshot if
possible.
Disabling QUIC in prior versions prevented this attack surface from being exposed.
mDNS should have a simple flag or setting to disable this significant attack surface. If the only port I have open on my machine is from the chromium/chrome browser, there is a huge problem. I do not want or need this extra attack surface of a listening port in my browser.
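One way to verify step (3) on a Linux host, as an added example that is not part of the original report: it parses the kernel's `/proc/net/udp` table for IPv4 sockets bound to UDP port 5353 and maps each socket inode to the owning process. The sample table, the function names and the little-endian host are assumptions.

```python
import glob, os, socket

MDNS_PORT = 5353  # port named in the report

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20111 2 0000000000000000 0
  102: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 45678 2 0000000000000000 0
  103: FB0000E0:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 45679 2 0000000000000000 0
"""

def udp_bound(table_text, port=MDNS_PORT):
    """Return (ipv4, port, uid, inode) for each UDP socket bound to `port`."""
    hits = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # Assumption: little-endian host, so the hex word is byte-reversed.
        ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
        hits.append((ip, port, int(f[7]), int(f[9])))
    return hits

def owners(inode):
    """Map a socket inode to (pid, comm) pairs by scanning /proc/<pid>/fd."""
    found = []
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                pid = fd.split("/")[2]
                with open(f"/proc/{pid}/comm") as fh:
                    found.append((int(pid), fh.read().strip()))
        except OSError:
            continue  # process exited, or fd not readable by this user
    return found

if __name__ == "__main__":
    path = "/proc/net/udp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for ip, port, uid, inode in udp_bound(text):
        print(f"{ip}:{port} uid={uid} inode={inode} owners={owners(inode)}")
```

An empty result after restarting the browser means nothing on the host is bound to UDP 5353 over IPv4; a hit whose owner is the browser process confirms the behaviour described in the report.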
Jun 3 2016
Defect is still present in Version 52.0.2743.19 dev (64-bit). I really would like to get this unnecessary attack surface removed from my network. Thanks.
Jun 4 2016
I will double-check, but don't think that mDNS setting has ever been tied to QUIC.
Jun 17 2016
mDNS is used by Cloud Print for local discovery.
Jun 21 2016
bblietz: Are there ways to disable mDNS for Cloud Print (options, enterprise policies, command line flags, etc.)?
Jul 6 2016
Thanks for clarifying this is a defect in the Cloud Print subsystem.
Here's a simple resource exhaustion denial of service attack against the unnecessary use of mDNS:
dd if=/dev/urandom bs=262545 |nc -u 192.168.5.103 5353
It just requires netcat. Cloud Print has been a complete disaster for user experience and certainly security.
I can find no flag or switch to disable this risky behavior. There is no longer any way to disable the useless Cloud Print in chrome/chromium.
I would prefer that the answer is not "Use Firefox, it's more secure and doesn't run unnecessary daemons without permission."
Thanks.
Jul 6 2016
More to the point, it appears using chrome on Linux with Google Cloud print is not supported. The Cloud Print website points Linux users to a CUPS connector.
Support for "Classic Printers" https://support.google.com/cloudprint/answer/1686197?rd=1
To quote from the above link:
Before connecting your classic printer, confirm if you have: Google Chrome. And if you’re using Windows XP, the Windows XP Service Pack 3 (SP3). Windows or Mac computer
CUPS Connector https://support.google.com/a/answer/2906017
Why would mDNS be enabled for Cloud Print on a platform that doesn't even support it? This is a clear failure of Google's Secure Development Lifecycle governance framework.
Nov 1 2016
This horrible behavior of running an mDNS daemon on Linux has stopped. The problem is no longer present in 56.0.2902.0.
Nov 7 2016
Mark it as Wont-Fix as per comment #8. Feel free to raise a new issue if still facing it. Thank you!
Comment 1 by rtenneti@chromium.org, May 11 2016